Internal Routes to Subnets for Ricoh printer
-
I'll get something together to illustrate, but no vlans.
Connectivity is 100% with the older version of the program, but the newest version causes this ONE printer to stop working. We have web, mail, database, apps, IP phones, etc. routing through the internal interface - and it's only this ONE printer… Ricoh suggested something about a possible ARP flood or loop... but I think we'd be seeing more issues than the one printer.
-
Well, do a packet capture and filter based on the Ricoh IP address. Load it up in Wireshark and see what's going on.
-
"I'll get something together to illustrate, but no vlans."
So you're running multiple layer 3 over the same layer 2?? If so then yeah that is BORKED!! If you have multiple segments they either need to be completely physically isolated on different layer 2 devices (dumb switches, different interfaces), or you need to do it with vlans and smart/managed switches that allow you to create the multiple layer 2 networks that way.
-
OK… I spoke too soon regarding the vlans. Yes, there is a vlan off our layer 3 switch that is the destination for the route via the LAN port on the pfsense router. This all works 100%. I've attached an image.
I did think of Wireshark, but due to this link being a production one my testing was limited. I recall having issues, but will revisit ASAP.
-
If you're using a downstream layer 3 switch, then pfsense should not be routing traffic between these vlans. So this downstream L3 (router) should be connected to pfsense via a transit network. But it seems it's connected on this vlan 1 you're using for your other devices.
And you have a default gateway setup on pfsense for this 10.0.0/23 network?
You're going to run into asymmetrical routing problems in such a setup from what I can make of it.
-
We don't seem to have any routing issues… No dropping packets or anything. Everything from a layer 2 - 3 perspective is fine - even after the upgrade (pings, web, phones, etc.); just printing protocols to this one Ricoh don't work.
Are you saying I should be trunking that link between the pfsense and layer 3 switch (similar to this Cisco image attached)?
-
That drawing is not using a downstream router..
You clearly could have an asymmetrical routing problem in your shown config.. (see attached)
You have a computer on vlan 1; what is its gateway?? Pfsense or the L3 switch SVI on vlan 1? If you're pointing it to the SVI on the switch there would not be asymmetrical routing when talking to the printer vlan. And if your client is pointing to the L3 as its gateway then pfsense would have ZERO to do with your client talking to your printer. But you would have a problem when trying to go to the internet. If you're going to run in such a setup where you have hosts on what should be your transit then you need to do host routing.
How a L3 switch would normally be setup would be with transit that has no hosts on it.
So see 2nd attachment. Where you have a transit network that connects pfsense to your L3. Pfsense would be the default route for your L3, and pfsense would have a route for downstream networks on the L3 pointing to the L3 IP in the transit network.
Now your client(s) in this vlan off your L3 would use the SVI of the L3 as their gateway. So in your drawing the 10.0.0.43 IP..
-
Yea… The router was setup prior to any subnets, and we have a lot of 1-to-1 NATing with public IPs, and IP based rules, so the new subnets pretty much just grew off the current config without a major overhaul.
The clients on the 10.0.0.0/23 do use the pfsense as their gw (10.0.0.1).
I do see with your first image what is happening... I have a feeling the Ricoh's don't like the routing for their printing as everything else works... Funny though - the Ricoh works as is, but the pfsense update must change something with routing a bit then.
hmm... I've attached another drawing just for the sake of it. I'll have to read up on the Host Routing you've mentioned... Some of these concepts are new to me.
-
Yeah, you're going to have an asymmetrical routing problem for sure in such a setup.. What you need to do, since the clients are using a print server, is on the print server create a route statement that says if it wants to talk to 10.1.0/24 to use the L3 SVI in the 10.0.0/23 network - ie that 10.0.0.43 IP.
That will remove your asymmetrical routing problem.
But the long term fix would be to connect pfsense to your L3 via a transit network that no hosts are on. This will remove the possibility of any asymmetrical routing conditions.
edit: another way to do it would be to remove the L3 doing the routing and just route all your segments at pfsense via either more interfaces and untagged uplinks from your switch or via vlans. This might mean some hairpin traffic for some intervlan traffic but has the added benefit of allowing for easy firewall rules between your network segments.
How many total vlans/networks do you have and how many interfaces are available on pfsense? How many ports open on your switch? You could use a different uplink for each network/vlan from the switch to pfsense to remove any hairpin traffic between vlans.
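To make the asymmetry in the reply above concrete, here is a small path-tracing model of the three layouts discussed in this thread: the setup as drawn (hosts on 10.0.0.0/23 using pfSense 10.0.0.1 as gateway, pfSense routing the printer VLAN via the L3 switch SVI 10.0.0.43 on that same segment), the same setup with a host route on the print server, and a transit /30 between pfSense and the L3 switch with the hosts pointed at the SVI. This is an added example, not code from the thread or from pfSense; the addresses 10.0.0.1, 10.0.0.43, 10.0.0.0/23 and 10.1.0.0/24 come from the posts, while the printer (10.1.0.10), print server (10.0.0.50), transit (192.168.255.0/30) and WAN/ISP (203.0.113.0/24) addresses are constructed for illustration. It traces each flow hop by hop in both directions and reports any router that sees only one direction, which is exactly the condition a stateful firewall like pfSense cannot track.

```python
"""Model of the thread's topology to show which flows cross pfSense in one
direction only. Added example; addresses other than 10.0.0.1, 10.0.0.43,
10.0.0.0/23 and 10.1.0.0/24 (which come from the thread) are constructed."""
import ipaddress
from dataclasses import dataclass, field

CONNECTED = "connected"   # sentinel: destination is on a directly attached network


@dataclass
class Node:
    name: str
    addrs: list                                  # addresses this node owns (one per attached network)
    routes: list = field(default_factory=list)   # (prefix, next-hop address or CONNECTED)

    def next_hop(self, dst):
        """Longest-prefix match over this node's routing table."""
        dst = ipaddress.ip_address(dst)
        best = None
        for prefix, nh in self.routes:
            net = ipaddress.ip_network(prefix)
            if dst in net and (best is None or net.prefixlen > best[0].prefixlen):
                best = (net, nh)
        if best is None:
            raise LookupError(f"{self.name}: no route to {dst}")
        return best[1]


def trace(nodes, src, dst, max_hops=8):
    """Hop-by-hop path from node `src` to address `dst`, as a list of node names."""
    owner = {a: n.name for n in nodes.values() for a in n.addrs}
    cur, path = nodes[src], [src]
    for _ in range(max_hops):
        nh = cur.next_hop(dst)
        if nh == CONNECTED:
            return path + [owner[dst]]
        cur = nodes[owner[nh]]
        path.append(cur.name)
    raise RuntimeError(f"routing loop between {src} and {dst}")


def audit(nodes, a, a_ip, b, b_ip):
    """Compare A->B with B->A; returns (symmetric?, routers that see only one direction)."""
    fwd, rev = trace(nodes, a, b_ip), trace(nodes, b, a_ip)
    return fwd == rev[::-1], sorted(set(fwd) ^ set(rev))


def topology(variant):
    """'as_drawn':   hosts on 10.0.0/23 use pfSense as gateway; pfSense routes the
                    printer VLAN via the L3 switch SVI on that same segment.
       'host_route': as_drawn plus a static route on the print server (the thread's fix).
       'transit':    pfSense and the L3 switch joined by a /30 with no hosts on it."""
    isp = Node("isp", ["203.0.113.1"],
               [("203.0.113.0/24", CONNECTED), ("10.0.0.0/8", "203.0.113.2")])  # stands in for the NAT return path
    printer = Node("printer", ["10.1.0.10"],
                   [("10.1.0.0/24", CONNECTED), ("0.0.0.0/0", "10.1.0.1")])
    if variant in ("as_drawn", "host_route"):
        pfsense = Node("pfsense", ["10.0.0.1", "203.0.113.2"],
                       [("10.0.0.0/23", CONNECTED), ("203.0.113.0/24", CONNECTED),
                        ("10.1.0.0/24", "10.0.0.43"), ("0.0.0.0/0", "203.0.113.1")])
        l3 = Node("l3switch", ["10.0.0.43", "10.1.0.1"],
                  [("10.0.0.0/23", CONNECTED), ("10.1.0.0/24", CONNECTED),
                   ("0.0.0.0/0", "10.0.0.1")])
        server = Node("printserver", ["10.0.0.50"],
                      [("10.0.0.0/23", CONNECTED), ("0.0.0.0/0", "10.0.0.1")])
        if variant == "host_route":
            server.routes.append(("10.1.0.0/24", "10.0.0.43"))  # host route straight to the SVI
    elif variant == "transit":
        pfsense = Node("pfsense", ["192.168.255.1", "203.0.113.2"],
                       [("192.168.255.0/30", CONNECTED), ("203.0.113.0/24", CONNECTED),
                        ("10.0.0.0/23", "192.168.255.2"), ("10.1.0.0/24", "192.168.255.2"),
                        ("0.0.0.0/0", "203.0.113.1")])
        l3 = Node("l3switch", ["192.168.255.2", "10.0.0.43", "10.1.0.1"],
                  [("192.168.255.0/30", CONNECTED), ("10.0.0.0/23", CONNECTED),
                   ("10.1.0.0/24", CONNECTED), ("0.0.0.0/0", "192.168.255.1")])
        server = Node("printserver", ["10.0.0.50"],
                      [("10.0.0.0/23", CONNECTED), ("0.0.0.0/0", "10.0.0.43")])  # gateway is now the SVI
    else:
        raise ValueError(variant)
    return {n.name: n for n in (isp, pfsense, l3, server, printer)}


def report(variant):
    """Symmetry check for the two flows the thread cares about: printing and internet."""
    nodes = topology(variant)
    return {
        "print": audit(nodes, "printserver", "10.0.0.50", "printer", "10.1.0.10"),
        "internet": audit(nodes, "printserver", "10.0.0.50", "isp", "203.0.113.1"),
    }


if __name__ == "__main__":
    for v in ("as_drawn", "host_route", "transit"):
        print(v, report(v))
```

In the as-drawn layout the print flow goes server -> pfSense -> L3 switch -> printer, but the reply comes back printer -> L3 switch -> server, so pfSense sees only the outbound half of every print connection while the internet flow stays symmetric; that matches the symptom in this thread (everything works except the one printer). Adding the host route or moving to a transit network makes both flows symmetric. On the print server itself the host route from the reply is a one-liner, for example `route -p add 10.1.0.0 mask 255.255.255.0 10.0.0.43` on Windows or `ip route add 10.1.0.0/24 via 10.0.0.43` on Linux.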
-
Hmm… Well - The current pfsense box has only 2 nics, but I've been considering some changes there as well.
Avoiding asymmetrical routing must be painful on networks with more routers. I'm going to have to review our entire setup here as we do have another route on the network here...
Is it possible to use the transit network for multiple routers?
Thanks!
-
Yes, you could use a common transit for all your routers.